Overview#

Digital Assertions as in SAML#

An assertion is a package of information that supplies one or more statements made by a SAML authority. SAML defines three different kinds of assertion statement that can be created by a SAML authority.

SAML assertions are compounds of one or more of three kinds of "statement" about Digital Subject (human or program):

• SAML Authentication Statement
• SAML Attribute Statement
• SAML Authorization Decision Statement

SAML can be extended to incorporate many kinds of assertions and statements

Assertions can, and probably should, be digitally signed

Common information#

All SAML assertions share some common information:

• Assertion ID - Who is making the Claim
• Issuer ID and issuance timestamp
• Subject - The Digital Subject that the claims are about
  • Name plus the security domain
  • Optional subject confirmation, e.g. public key
• "Conditions" under which assertion is valid
  • SAML clients must reject assertions containing unsupported conditions
  • Special kind of condition: assertion validity period
• Additional "advice" - E.g., to explain how the assertion was made

SAML assertion Structure Image #

The outer structure of an assertion is generic, providing information that is common to all of the statements within it. Within an assertion, a series of inner elements describe the SAML Authentication Statement, SAML Attribute Statement, SAML Authorization Decision Statement, or user-defined statements containing the specifics.

The diagram below illustrates the high-level structure of a typical SAML authentication assertion.

Sample common information assertion#

<saml:Assertion
    MajorVersion="1" MinorVersion="0"
    AssertionID="192.168.1.12.3456"
    Issuer="services.willeke.biz"
    IssueInstant="2009-12-03T10:02:00Z">
    <saml:Conditions
        NotBefore="2009-12-03T10:00:00Z"
        NotOnOrAfter="2009-12-03T10:05:00Z">
        <saml:AudienceRestrictionCondition>
            <saml:Audience>…URI…</saml:Audience>
        </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:Advice>
        .. a variety of elements can go here..
    </saml:Advice>
    ...statements go here...
    </saml:Assertion>

The saml: namespace corresponds to an XML Schema that just focuses on assertions.So far, we have decided that unique identifiers like AssertionID are essentially opaque to SAML; it’s up to you to ensure that they’re unique in the domain you care about.

More Information#

There might be more information for this subject on one of the following:

• Digital Subject
• FAL 2
• Glossary Of LDAP And Directory Terminology
• IDP-Initiated SSO-POST
• Identity Broker
• SAML
• SP-Initiated SSO-POST-POST
• Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
• Security Token
• Token Binding over HTTP
• Web Blog_blogentry_231215_1